
spin is no longer actively maintained (RUSTSEC-2019-0031) #42

Closed
duesee opened this issue Dec 31, 2019 · 4 comments

Comments

@duesee
Contributor

duesee commented Dec 31, 2019

Hey,

Cargo Audit found that the spin crate is no longer maintained:

# cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 59 security advisories (from /home/duesee/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (187 crate dependencies)
error: Vulnerable crates found!

ID:	 RUSTSEC-2019-0031
Crate:	 spin
Version: 0.5.2
Date:	 2019-11-21
URL:	 https://github.com/mvdnes/spin-rs/commit/7516c80
Title:	 spin is no longer actively maintained
Solution: upgrade to: 

error: 1 vulnerability found!

Maybe cargo audit could be integrated as a CI test via GitHub Action, Travis, etc.?

@str4d
Owner

str4d commented Dec 31, 2019

Ooh yes, I've been meaning to add cargo audit to the CI workflow. Thanks for the reminder! I've opened #44 to track progress.

Unfortunately there's nothing I can currently do about this dependency. I do not directly depend on spin, and the dependencies that pull it in transitively (lazy_static, ring etc.) have not updated to an alternative (I note that the advisory itself indicates that there is no alternative).

This issue will be closed whenever dependencies become available that result in spin being dropped as a transitive dependency (or if spin itself resumes being maintained).

@duesee
Contributor Author

duesee commented Dec 31, 2019

Yeah, I know. I tried to find whether spin is really necessary, but haven't yet. I created this issue primarily to have it documented. Maybe I will take a look in a few days :-)

@duesee
Contributor Author

duesee commented Dec 31, 2019

Okay, so cargo-tree shows that ring is the only relevant dependency. (If I don't misinterpret cargo-tree's output.)

$ cargo tree
...
├── minreq v1.4.1
│   ├── rustls v0.16.0
│   │   ├── ring v0.16.9
│   │   │   ├── spin v0.5.2
...

spin in lazy_static is feature-gated and seems not to be used when building rage

# Cargo.toml in lazy_static

[features]
spin_no_std = ["spin"]
$ cargo tree --all-features
...
├── console v0.9.1
│   ├── clicolors-control v1.0.1
│   │   ├── lazy_static v1.4.0
│   │   │   └── spin v0.5.2

├── minreq v1.4.1
│   ├── rustls v0.16.0
│   │   ├── ring v0.16.9
│   │   │   ├── spin v0.5.2 (*)
...

There is also an issue which might be resolved soon: briansmith/ring#921.
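A small path finder over `cargo tree` text output, added here as an example that is not part of rage, cargo or this thread: it lists every dependency chain that ends at a target crate, so the direct dependency that pulls in a flagged crate such as `spin` can be read off a captured tree. It assumes the default box-drawing layout (one 4-character prefix segment per nesting level) and uses a constructed sample mirroring the `--all-features` excerpt above.

```rust
// Added example, not code from rage, cargo or this thread: walk `cargo tree`
// text output and list every dependency path that ends at a target crate.
// Assumes the default layout: one 4-char prefix segment per nesting level
// ("├── ", "│   ", "└── " or "    ").
const TREE_CHARS: [char; 5] = ['├', '│', '└', '─', ' '];

/// Parse one line into (depth, crate name); None for non-node lines ("...", blank).
fn parse_node(line: &str) -> Option<(usize, String)> {
    let prefix_len = line.chars().take_while(|c| TREE_CHARS.contains(c)).count();
    let rest: String = line.chars().skip(prefix_len).collect();
    let mut parts = rest.split_whitespace();
    let (name, version) = (parts.next()?, parts.next()?);
    if prefix_len % 4 != 0 || !version.starts_with('v') {
        return None;
    }
    Some((prefix_len / 4, name.to_string()))
}

/// Every root-to-target path as "a -> b -> target", in tree order.
pub fn paths_to(tree: &str, target: &str) -> Vec<String> {
    let mut stack: Vec<String> = Vec::new();
    let mut base: Option<usize> = None; // depth of first node; tolerates an elided root
    let mut hits = Vec::new();
    for line in tree.lines() {
        let (depth, name) = match parse_node(line) {
            Some(node) => node,
            None => continue,
        };
        let rel = depth.saturating_sub(*base.get_or_insert(depth));
        stack.truncate(rel); // drop the previous branch's deeper nodes
        let hit = name == target; // "(*)" after the version only marks a repeated subtree
        stack.push(name);
        if hit {
            hits.push(stack.join(" -> "));
        }
    }
    hits
}

/// Constructed sample mirroring the `cargo tree --all-features` excerpt above.
pub const SAMPLE: &str = "...\n├── console v0.9.1
│   ├── clicolors-control v1.0.1
│   │   ├── lazy_static v1.4.0
│   │   │   └── spin v0.5.2

├── minreq v1.4.1
│   ├── rustls v0.16.0
│   │   ├── ring v0.16.9
│   │   │   ├── spin v0.5.2 (*)";
```

Current cargo ships a built-in `cargo tree -i <crate>` (inverted view) that answers the same question directly; the parser above is for trees captured from older cargo-tree output or a CI log.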

@str4d
Owner

str4d commented Oct 18, 2021

spin is maintained again!

@str4d str4d closed this as completed Oct 18, 2021